Every article in this cluster assumes some baseline familiarity with Microsoft Entra ID — the identity platform underneath every Microsoft 365 sign-in, every Conditional Access policy, and every Secure Score recommendation this cluster covers. This article establishes that baseline: what Entra ID actually is, how it relates to (and differs from) on-premises Active Directory, and the licensing tiers that determine which capabilities are actually available in a given tenant.
What Entra ID is
Microsoft Entra ID (formerly Azure Active Directory) is Microsoft's cloud-based identity and access management platform. It is the single source of truth for "who is this user, what license do they have, and what are they allowed to access" across Microsoft 365, Azure, and any third-party application connected via SSO (see Single Sign-On and Federation Explained for how that connection actually works). Every Microsoft 365 tenant has an Entra ID instance whether or not an administrator has ever directly configured it.
Entra ID is not the same product as on-premises Active Directory
Despite the shared naming history, Entra ID is architecturally distinct from on-premises Active Directory Domain Services (AD DS) — it's a cloud-native, REST/HTTPS-based directory, not a downward-compatible cloud version of AD DS. Organizations with an existing on-premises AD DS environment typically run both, connected via Entra Connect (see below), rather than replacing one with the other outright.
Core objects
| Object | Purpose |
|---|---|
| User | An individual identity — employee, contractor, or guest — that authenticates and is assigned licenses and roles. |
| Group | A collection of users (or devices) used to assign access, licenses, or Conditional Access policy scope in bulk rather than per-user. |
| Application registration | Represents an application that authenticates against Entra ID, whether Microsoft's own or a third-party SSO integration. |
| Device | A registered or joined device, used as a Conditional Access signal (compliant/managed device requirements). |
| Administrative role | A defined set of permissions (Global Administrator, User Administrator, etc.) assignable to a user, ideally via just-in-time activation — see Privileged Identity Management and Privileged Access. |
Hybrid identity: Entra ID and on-premises Active Directory together
Many organizations don't choose between Entra ID and on-premises Active Directory — they run both, synchronized via Entra Connect (formerly Azure AD Connect). In this hybrid model, user accounts are created and managed in on-premises AD DS and synchronized to Entra ID, which then handles cloud authentication for Microsoft 365 and any connected SSO applications.
Hybrid identity means two policy layers to keep aligned
In a hybrid environment, password policy, for instance, can be governed at either layer — see Microsoft Password Best Practices for why this specifically affects password expiration settings. Changing a setting in Entra ID alone does not necessarily override an on-premises Group Policy Object still enforcing the old behavior.
Cloud-only organizations — those with no on-premises Active Directory at all — manage user accounts directly in Entra ID, which is increasingly common for organizations founded after cloud-first tooling became standard, or those that have fully migrated away from on-premises infrastructure.
Licensing tiers that gate cluster-relevant features
Several capabilities covered elsewhere in this cluster require a specific Entra ID licensing tier, not just a Microsoft 365 subscription generally:
| Tier | Unlocks (cluster-relevant) |
|---|---|
| Free (included with Microsoft 365) | Basic user/group management, Security Defaults (baseline MFA) |
| Entra ID P1 | Conditional Access, hybrid identity features — see Microsoft Entra Conditional Access: A Practical Guide |
| Entra ID P2 | Entra ID Protection (risk-based sign-in detection), Privileged Identity Management (PIM) |
Understanding which tier a tenant has is often the first practical question when evaluating why a recommended control (Conditional Access, PIM, risk-based policies) isn't available in the admin console — it's frequently a licensing gap, not a configuration one. See Microsoft Licensing Advisor for how to reason from a target architecture to the specific bundle and add-on tiers it requires.
How this connects to the rest of the cluster
This overview is intentionally the entry point for the Microsoft 365 Security cluster: Microsoft Secure Score Guide measures your posture against Entra ID and other M365 settings; Conditional Access Best Practices and Microsoft Entra ID Protection both require the P1/P2 licensing described above; and Microsoft 365 Security Architecture shows how Entra ID sits at the center of the full Microsoft security stack.
Common mistakes
- Assuming a recommended control is "broken" when it's actually a licensing gap. Confirm the tenant's Entra ID tier before troubleshooting a missing Conditional Access or PIM option.
- Treating hybrid identity as a one-time migration project rather than an ongoing two-layer system. Password policy, group membership, and several other settings need to be checked at both layers, not just the cloud side.
- Not distinguishing groups used for access from groups used for distribution/collaboration, which complicates both license assignment and Conditional Access policy scoping over time.
FAQ
Do we need Entra ID P1 or P2 if we're a small organization? It depends on which controls matter most for your risk profile. Conditional Access (P1) and risk-based sign-in protection (P2) are both meaningfully valuable security controls covered throughout this cluster — for organizations handling sensitive data, the licensing cost is usually justified relative to the risk reduction.
Is Entra ID the same as "Azure AD"? Yes — Microsoft renamed Azure Active Directory to Microsoft Entra ID; the underlying service is the same, with the rename reflecting Entra's broader identity product family. Documentation and tooling still transitioning to the new name may reference either term.
What happens to Entra ID if we cancel our Microsoft 365 subscription? The Entra ID tenant itself persists at a reduced (free-tier) capability level even without an active Microsoft 365 subscription, though user access to Microsoft 365 apps specifically requires active licensing.